Businesses that rely on standard contractual clauses (SCCs) to transfer personal data outside the European Economic Area (EEA) just got good news. The long-awaited opinion from the EU Advocate General (AG) is here: SCCs are valid. The AG’s opinion, although non-binding, is significant for the case brought by Austrian privacy activist Max Schrems against Facebook, currently before the European Court of Justice (CJEU), because the CJEU generally follows the AG’s reasoning in its decisions.
By way of background, in 2010 the European Commission issued Decision 2010/87, which adopted the model SCCs. SCCs establish three sets of contractual terms intended to protect data transfers from the EEA to certain other countries, including the U.S. Two versions of the SCCs apply, respectively, to data transfers from the EEA to data controllers outside the EEA and to data transfers from the EEA to data processors outside the EEA.
Under the General Data Protection Regulation (GDPR) (like Directive 95/46/EC, which preceded it), personal data may only be transferred out of the EEA to a third country if that country ensures an adequate level of data protection. Schrems previously challenged the former U.S./EU Safe Harbor, resulting in a determination that it did not assure adequate protection. The Safe Harbor was then replaced by the current EU-U.S. Privacy Shield. SCCs, the Privacy Shield, and binding corporate rules (BCRs) are currently recognized as options to assure adequacy. In this latest challenge, Schrems argued that Facebook’s SCCs were inadequate, and that SCCs in general offered insufficient protection for data transfers from the EEA to the U.S. Schrems requested that SCCs be suspended, and the matter was then referred to the CJEU.
In evaluating Decision 2010/87, the AG concluded that the fact SCCs are not binding on authorities in third countries “does not in itself render that decision invalid.” The opinion goes on to state:
The compatibility of Decision 2010/87 with the Charter depends on whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour … that is the case in so far as there is an obligation — placed on the data controllers and, where the latter fail to act, on the supervisory authorities — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with … the analysis of the questions has disclosed nothing to affect the validity of Decision 2010/87.
As the AG noted, the current case does not require the CJEU to rule on the lawfulness of the EU-U.S. Privacy Shield framework, which is a separate mechanism for transferring data outside the EEA. Nonetheless, the AG expressed sympathy with a separate argument by Schrems that the Privacy Shield does not offer sufficient safeguards “in the light of the right to respect for private life and the right to an effective remedy.”
These EU decisions are relevant to the current discussion about what a possible framework for federal privacy legislation should look like. As debates about privacy continue, it will be important for policymakers to remember that requirements imposed on businesses to protect key individual privacy rights must be balanced by considering the extent of possible harm to consumers, economic efficiency, innovation, and burdens on all participants in the ecosystem.